Matthew Miller wrote:
[snip]
>> So the "method of getting root privileges" is "regular users of their
>> own machines" running random executables (like the ones downloaded by a
>> script kiddie) as root.
>>
>> I'm interested in hearing how you would like to close this
>> vulnerability.
>
> In this case, some simple "don't do that" would have helped. But in the
> case of the sort of tricks that work on Windows users ("But the e-mail
> came from my friend!" "I wanted to see the funny animation it said was in
> there!") can work on Linux users too.
Only if you read your e-mail as root, which there is no reason to do.
> We need to *address* that, not just
> say "this is approximately zero threat". Obviously education is part of
> it. A more sophisticated SE Linux could be another.
A more sophisticated SELinux would require a more sophisticated user to
administer it. Catch-22.
--
William Hooper
